Home / malware TrojanDownloader:Win32/Zlob.AOQ
First posted on 09 February 2009.
Source: SecurityHomeAliases :
TrojanDownloader:Win32/Zlob.AOQ is also known as Also Known As:Trojan.Downloader.Zlob.ACSB (BitDefender), Trojan-Downloader.Win32.Zlob.aoly (Kaspersky).
Explanation :
TrojanDownloader:Win32/Zlob.AOQ is a generic detection for a trojan that downloads other malware. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings regarding bogus malware infections.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
TrojanDownloader:Win32/Zlob.AOQ is a generic detection for a trojan that downloads other malware. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings regarding bogus malware infections.
Installation
TrojanDownloader:Win32/Zlob.AOQ may arrive in the system when the user browses to a malware site or clicks to download a fake codec for a video. It is usually installed in the Windows system folder using a variety of file names. Some of the file names it may use are the following:
hpmon.exe
hpmom.exe
qttaskm.exe
browseu.exe
hpmun.exe
setup.exe
qttasku.exe
itunesu.exe It may also arrive as a DLL file using varying names. This DLL is registered as a Browser Helper Object (BHO) by the presence of registry subkeys and entries in the following keys:
HKLMSoftwareMicrosoftInternet ExplorerToolbar
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
HKLMSoftwareClassesCLSID For example:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{144A6B24-0EBC-4D89-BF09-A06A718E57B5} These registry entries are usually pre-existing and may have been created by other malware. It may create the mutex "securityinternet". Other components of this trojan may be located in subfolders within the Program Files folder, for example:
%ProgramFiles%WebMediaViewer"
"%ProgramFiles%VirusTriggerBin"
Payload
Modifies Internet Explorer Settings
TrojanDownloader:Win32/Zlob.AOQ may modify the Internet Explorer default Search engine or Home Page. A sample website to which these settings may be altered to is "windiwsfsearch.com".
Analysis by Patrik VicolLast update 09 February 2009
